Facebook failed to protect the privacy rights of many of its Canadian users in last year’s Cambridge Analytica scandal, Canada’s and British Columbia’s privacy commissioners concluded in a damning report released Thursday that followed a yearlong investigation.

Federal privacy commissioner Daniel Therrien and his B.C. counterpart, Michael McEvoy, said Facebook failed to obtain “valid and meaningful” consent from certain users who had installed a third-party app alleged to have been discreetly used to harvest their personal information, along with that of the users’ friends, for political purposes.

The privacy commissioners concluded that Facebook was unable to demonstrate that the app obtained proper consent for its purposes, including any political purposes, or that the company made reasonable efforts to ensure that the app did try to obtain fair consent from its users.

That failure extended to the friends of users who had installed the app, the report stated. Facebook “unreasonably” relied on installing users to provide consent on behalf of all of their friends to release their information even though the friends would have had no knowledge of such a disclosure.

The two commissioners concluded that the social media company violated both federal and provincial privacy laws.

Facebook disputed the investigation’s findings and refuses to implement its recommendations, the report noted. Therrien signalled Thursday he wants to take Facebook to Federal Court in order to get the company to overhaul its privacy practices.

The federal privacy commissioner currently lacks disciplinary powers and Facebook is not required by law to follow its suggestions.

Speaking to reporters Thursday, Therrien highlighted the need for legislation in order to give his office more enforcement powers.

“I don’t think it should be in 2019 … that a private company with its interests can say to a regulator: ‘thank you very much for your conclusion on matters of law but we actually disagree and will actually continue as we were.’” Therrien said in a press conference with McEvoy. “It’s completely unacceptable.”

Last year’s controversy centred on the now-defunct British political consulting firm that harvested the data of millions of Facebook users worldwide inappropriately in order to help U.S. President Donald Trump’s 2016 election campaign.

In the following months, Facebook faced intense backlash in Canada and abroad amid criticism that it did little to prevent the harvesting of data and lacked the safeguards to prevent such access. Facebook and Cambridge Analytica have been the focus of multiple international investigations.

The report concluded that about 622,000 users in Canada were affected by the scandal.

‘Superficial’ safeguards

The privacy commissioners also concluded that Facebook lacked the proper safeguards to protect user information and failed to be accountable for the user information under its control.

The social media giant relied on contractual terms with apps to protect against unauthorized access to users’ information, but then put in place “superficial, largely reactive, and thus ineffective” monitoring to ensure compliance with those terms, the report stated.

As well, Facebook did not take responsibility for giving “real and meaningful effect” to the privacy protection of its users, and instead “abdicated its responsibility for the personal information under its control, effectively shifting that responsibility almost exclusively to users” and the app.

The company had relied on “overbroad” consent language and consent mechanisms not supported by meaningful implementation. The privacy commissioners also said existing privacy safeguards were “superficial and did not adequately protect users’ personal information.”

“The sum of these measures resulted in a privacy protection framework that was empty,” stated the report.

In a statement, Facebook said that after “many months” of cooperation and negotiations, it’s “disappointed” that the Office of the Commissioner of Privacy (OPC) considers the issues raised in the report unresolved.

“There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information,” the company said.

“We understand our responsibility to protect people’s personal information, which is why we’ve proactively taken important steps towards tackling a number of issues raised in the report and worked with the OPC to offer additional concrete measures we can take to address their recommendations, which includes offering to enter into a compliance agreement.”

Some of the improvements the company has touted include limiting the information developers can access from the site, removing developers’ access to a person’s data if they haven’t used their app in the past three months and reducing the data someone gives to an app when they sign in to only their name, profile photo, and email address. It has also launched a ‘data abuse bounty’ program that allows users to report to Facebook misuses of data by app developers.

Facebook reluctant to provide answers

However, the report said many of the investigators’ questions to the social media giant have gone unanswered and certain responses were either incomplete or otherwise deficient. Facebook was unable to provide evidence of enforcement actions taken in relation to privacy-related contraventions of those contractual requirements.

Facebook also rejected the commissioners’ recommendations after they met with the company in February. Those include “adequate monitoring, to ensure that it obtains meaningful and valid consent from installing users and their friends.”

The privacy commissioners had looked specifically at the roles of Facebook and Canadian company AggregateIQ in the data breach and whether the organizations violated Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and B.C.’s Personal Information Protection Act.

PIPEDA requires “meaningful and informed consent” in order for companies to collect, use and disclose personal information for commercial activities. The act also says that companies must be accountable for how they oversee personal information in their care and ensure it’s not disclosed inappropriately.

The whistleblower, Canadian-born Christopher Wylie — who formerly worked at Cambridge Analytica — had also accused Victoria-based software development and marketing firm AggregateIQ of drawing on Cambridge Analytica’s databases to help the Leave campaign during the 2016 Brexit referendum.

Facebook has made changes in recent years to help users understand what apps they’ve allowed to access their data. The company has also committed to conducting a full review of any app with suspicious activity, vowing to ban developers found to have misused personally identifiable information and inform users affected by this activity.

Past warnings

The privacy commissioners also wrote that the failures are “extremely concerning” given that, in a 2009 investigation of Facebook, the federal watchdog also found similar contraventions around poor consent practices for disclosing personal information in third-party apps, as well as inadequate monitoring.

“In our view, if Facebook had implemented the OPC’s recommendations and its eventual commitments meaningfully … the risk of unauthorized access and use of Canadians’ personal information by third-party apps would have been avoided or significantly mitigated,” the report stated.

The report noted that Facebook’s rejection of the recommendations “highlight critical weaknesses within the current Canadian privacy protection framework and underscore an urgent need for stronger privacy laws.”

There has been increasing concern that inappropriate use of social media will impact the upcoming federal election, including whether personal information could be quietly used to target electors. Political parties are currently not subject to federal privacy laws.

“I don’t think we can be comforted that Canadian parties did not take advantage somehow of this technology,” McEvoy told reporters Thursday. “The reality is that they could.”

Therrien also said his office’s Facebook page will be taken down because he doesn’t want to be associated with a company that has been found to be irresponsible with users’ personal information.